5 Questions to Ask When Planning to Deploy AI for Cybersecurity
Artificial intelligence is overhyped for cybersecurity, according to Rene Kolga, senior director of product and marketing at Nyotron. “Of course, I agree that machine learning algorithms and AI represent a transformational trend overall — no matter in which industry. But the current upswelling of attention the topic has received — within cybersecurity and seemingly everywhere else — could plunge the field into another period of AI winter, where funding and thus progress cools to a near standstill, Kolga reckons. “We have had multiple AI winters in the past 50 to 60 years,” he explained. “We are potentially heading to this point again because the field is so prone to overpromise.”
By late 2018, it seems every company either says they do AI or are involved in an AI-based project, but 4 percent of CIOs internationally say they have AI projects in production,
according to Gartner’s Hype Cycle for Artificial Intelligence from July 2018. In that same month, The Guardian published an exposé on the explosion of what it termed “pseudo AI” in which companies use a mix of algorithms buttressed by human labor in the background.
So whether one is evaluating the field of AI at large, or evaluating an AI-based strategy to improve the security of an IoT application, it is important “to understand what’s real and what’s not,” said Kolga, who also shared the following questions to help companies sift through the hype.
1. Are You Sure You Have Access to Good Data?
Some companies are so enamored with the prospects of AI-based cybersecurity and the power of the latest algorithms that they will rush to deploy the technology without ensuring they have the data they need for the program to be successful in the long-run.
But another related problem is that a company’s leaders may think they have access to good data when they have been unknowingly breached. A company might use User Entity Behavior Analytics products, for instance, to understand the baseline behavior of the network of their devices and users. After the initial period of baselining, they can theoretically detect anomalies. “What’s dangerous about this is that if the malware or a malicious insider is already inside your environment, now the algorithm will baseline that as the norm,” Kolga said. “If you do that, will you really be able to detect an infection?”
It is entirely possible that an organization’s cyber leaders might think their environment is safe only to discover later that it was not. The Poneman 2017 Cost of a Data Breach Study found that it took an organization an average of 206 days to detect a breach. And a 2017 Inc. article reports that 60 percent of small businesses in the United States are hacked each year.
2. Are You Working on Developing an AI-based Crystal Ball?
The important thing to remember about subjects such as big data and analytics is that it is a much more reliable strategy to codify past behavior than it is to use the technology to invent the future. The plan to use big data, machine learning, artificial intelligence, etc. to “enumerate badness” as Marcus Ranum has put it, is problematic in that there are vastly more types of “bad” in the form of malware and attacks than there is “good.” So if you feed a machine learning algorithm a massive trove of data related to known attacks and malware, it will likely be able to detect subtle variations of known malware from the past. But it will have less of a shot at detecting an entirely new form of malware or a new attack methodology. “Sometimes companies take the position that AI is this really magical tool that can detect everything,” Kolga said. “But then if you think about how it works, it’s trained on the known, old malware samples.”